-
Google on Wednesday said it discovered an unknown threat actor using an experimental Visual Basic Script (VB Script) malware dubbed PROMPTFLUX that interacts with its Gemini artificial intelligence (AI) model API to write its own source code for improved obfuscation and evasion. “PROMPTFLUX is written in VBScript and interacts with Gemini’s API to request specific VBScript obfuscation and
-
A sophisticated threat actor known as Curly COMrades has deployed an innovative attack methodology that leverages legitimate Windows virtualization features to establish covert, long-term access to victim networks.
The campaign, which began in early July 2025, represents a significant evolution in adversary tactics as threat actors increasingly seek methods to bypass endpoint detection and response solutions that have become standard defensive tools.
The operation centers on the abuse of Hyper-V virtualization technology on compromised Windows 10 machines.
By enabling the Hyper-V role and deploying a minimalistic Alpine Linux-based virtual machine, the attackers created a hidden operational environment that hosts custom malware while evading traditional host-based security monitoring.
The virtual machine, requiring only 120MB of disk space and 256MB of memory, provides a dedicated platform for running two custom implants: CurlyShell, a persistent reverse shell, and CurlCat, a reverse proxy tool.
Bitdefender researchers identified this advanced campaign through collaboration with the Georgian CERT, which detected a malicious sample communicating with a compromised site under monitoring.
The joint investigation revealed that Curly COMrades, first documented in August 2025 as a threat actor supporting Russian interests in geopolitical hotbeds, has significantly enhanced its toolkit and operational sophistication.
The forensic analysis uncovered that attackers effectively isolated their malware execution environment within a virtual machine, bypassing many traditional security detections by routing malicious traffic through the host’s network stack, making it appear to originate from legitimate IP addresses.
The attack demonstrates meticulous operational planning and technical expertise. Threat actors established persistence through multiple mechanisms, including PowerShell scripts configured via Group Policy for local account creation and Kerberos ticket manipulation for lateral movement.
Attack flow (Source – Bitdefender)
The deployment of various proxy and tunneling tools such as Resocks, Rsockstun, Ligolo-ng, CCProxy, and Stunnel further illustrates the group’s determination to maintain flexible access channels to compromised environments.
Virtual Machine Deployment and Persistence Mechanism
The deployment sequence begins with enabling the Hyper-V virtualization feature while deliberately disabling its management interface to reduce visibility. The attackers executed the following commands remotely:
`dism /online /disable-feature /FeatureName:microsoft-hyper-v-Management-clients /norestart`
`dism /online /enable-feature /All /LimitAccess /FeatureName:microsoft-hyper-v /norestart`
Following a brief interval, the threat actors initiated the payload delivery phase. A RAR archive disguised as a video file was downloaded and extracted to the deceptive directory `c:\programdata\microsoft\AppV\app`, a location designed to blend in with legitimate Microsoft Application Virtualization files. The virtual machine files were then imported using PowerShell:
`powershell.exe -c import-vm -path "c:\\programdata\\microsoft\\AppV\\app\\Virtual Machines\\1DBCC80B-5803-4AF1-8772-712C688F408A.vmcx" -Copy -GenerateNewId`
`powershell.exe -c Start-VM -name WSL`
The VM name “WSL” serves as a deception tactic, suggesting the use of Windows Subsystem for Linux, a commonly trusted developer tool that typically receives less security scrutiny. However, this is a fully isolated Hyper-V instance operating outside the standard WSL framework.
Persistence within the virtual machine operates through a root-level crontab entry that executes every four hours at 20 minutes past the hour.
The cron task runs `/bin/alpine_init`, which subsequently launches the CurlyShell implant located at `/bin/init_tools`.
This custom reverse shell maintains HTTPS communication with the command and control infrastructure, while CurlCat manages SSH reverse proxy tunneling on demand.
The VM configuration uses Hyper-V’s Default Switch network adapter with Network Address Translation, so all malicious outbound traffic appears to originate from the compromised host machine’s legitimate IP address, significantly complicating attribution and detection efforts.
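As an added example (not Bitdefender’s or the article’s own tooling), the following Python script scores process-creation telemetry for the Hyper-V deployment sequence described above: management clients disabled, Hyper-V enabled with `/LimitAccess`, a VM imported from the AppV directory, and a VM started under the name “WSL”. The log format, host names and field layout are constructed assumptions.

```python
"""Triage constructed process-creation log lines for the Hyper-V abuse sequence.
Added example, not the article's or Bitdefender's code; field layout is assumed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry: "<timestamp> <host> <user> <command line>"
SAMPLE_LOGS = """\
2025-07-08T10:02:11Z WS-114 CORP\\svc_deploy dism /online /disable-feature /FeatureName:microsoft-hyper-v-Management-clients /norestart
2025-07-08T10:02:13Z WS-114 CORP\\svc_deploy dism /online /enable-feature /All /LimitAccess /FeatureName:microsoft-hyper-v /norestart
2025-07-08T10:41:02Z WS-114 CORP\\svc_deploy powershell.exe -c import-vm -path "c:\\programdata\\microsoft\\AppV\\app\\Virtual Machines\\1DBCC80B-5803-4AF1-8772-712C688F408A.vmcx" -Copy -GenerateNewId
2025-07-08T10:41:05Z WS-114 CORP\\svc_deploy powershell.exe -c Start-VM -name WSL
2025-07-08T11:15:40Z WS-207 CORP\\alice wsl.exe --install
2025-07-09T09:00:00Z WS-301 CORP\\bob powershell.exe -c Start-VM -name DevBox
"""

# (rule name, regex over the command line, weight); weights are assumed tuning values
RULES = [
    ("hyperv_mgmt_clients_disabled",
     re.compile(r"dism\b.*/disable-feature.*hyper-v-management-clients", re.I), 2),
    ("hyperv_enabled_limitaccess",
     re.compile(r"dism\b.*/enable-feature.*(limitaccess.*hyper-v|hyper-v.*limitaccess)", re.I), 2),
    ("import_vm_from_appv_dir",   # VM files staged under ProgramData\Microsoft\AppV
     re.compile(r"import-vm\b.*programdata\\+microsoft\\+appv", re.I), 3),
    ("start_vm_named_wsl",        # a real WSL distro is not started with Start-VM
     re.compile(r'start-vm\b.*-name\s+"?wsl"?\s*$', re.I), 2),
]
WINDOW = timedelta(hours=2)   # the steps happened within minutes of each other
ALERT_THRESHOLD = 5           # a single rule alone never alerts; two or more do
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (.*)$")

def parse(text):
    """Return (timestamp, host, user, command_line) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events

def triage(text=SAMPLE_LOGS):
    """Map host -> {"score", "rules"} for hosts whose rule hits in any WINDOW reach the threshold."""
    hits = defaultdict(list)
    for ts, host, _user, cmd in parse(text):
        for name, rx, weight in RULES:
            if rx.search(cmd):
                hits[host].append((ts, name, weight))
    alerts = {}
    for host, events in hits.items():
        events.sort()
        for t0, _, _ in events:   # slide a window starting at each hit
            window = [e for e in events if t0 <= e[0] <= t0 + WINDOW]
            score = sum(w for _, _, w in window)
            if score >= ALERT_THRESHOLD:
                alerts[host] = {"score": score, "rules": sorted({n for _, n, _ in window})}
                break
    return alerts

if __name__ == "__main__":
    for host, detail in triage().items():
        print(host, detail)
```

Only WS-114 alerts: the lone `wsl.exe --install` on WS-207 and the `Start-VM -name DevBox` on WS-301 match no rule, which keeps ordinary developer activity out of the results.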
The post Curly COMrades Hacker Group Using New Tools to Create Hidden Remote Access on Compromised Windows 10 appeared first on Cyber Security News.
-
Every individual depends heavily on data, their most critical asset: from memorable photos to important work documents, everything must be safeguarded properly.
Why? Simply because you can never predict what might happen to your data: you could lose your laptop with thousands of stored projects or accidentally delete entire folders containing your child’s photos.
The good news is that backups can easily protect you from these problems. And even better, you don’t have to pay to get an efficient data protection solution.
There’s a wide range of backup software available that offers a solid set of features for effective data protection completely free of charge for individual use.
The only thing that matters is understanding your requirements for these solutions: what to back up, how to do it, what limitations might prevent you from choosing a particular tool, and, finally, what the essentials of a perfect backup solution for home use are.
Free Backup Solutions Explained
Sometimes, unfortunately, “free” can mean “incomplete.”
Many solutions on the market are limited in functionality, and what might appear to be the same version as the paid product is often just a trimmed-down edition with blocked or removed features, designed to entice you into purchasing a more advanced version.
However, not all limitations are problematic for a home user. Free solutions may simply not offer advanced features that businesses or power users require, ensuring the software remains simple and manageable for individual users who don’t need them.
So, yes, these tools do work, but it’s important to understand their limitations and choose a solution that fits your needs as closely as possible.
Typical limitations can include lack of support, fewer or no advanced features (like image-based backup, for instance), and storage restrictions in terms of supported storage providers and the volume of data that can be backed up.
Still, for the most part, free backup solutions are more than enough for home users.
With the available features, you can successfully back up your data and protect your most valuable assets, but it’s still important to do your research to choose the solution that best fits your needs.
Key Features to Consider
Now, you need to understand the essential features of a free backup solution that you might want to check:
- Backup options supported: the most important types are file-level backup (for files and folders only) and image-based backup (a full snapshot of your entire system).
- Storage options supported: to follow the industry standard called 3-2-1-1-0 backup rule, you should be able to back up your data both locally and to the cloud. Some free editions may only support local storage or a very limited number of offsite storage destinations. The best choice is usually a solution that supports a BYOS (bring-your-own-storage) approach, allowing you to connect to the storage account of your choice.
- Customizable scheduling: the solution should allow you to schedule backups to run on specific days or at specific times.
- Customizable retention and versioning settings: the ability to retain multiple versions of files lets you restore the latest version if data is lost or corrupted.
- Security: some backup tools don’t encrypt your data while it’s being uploaded or stored, and they may not have features like object lock. Object lock is a feature that prevents your files from being deleted or changed for a certain period of time, adding an extra layer of protection against ransomware.
- Simplicity: for personal use, ease of deployment, installation, and use is critical. If the interface is overwhelming or you can’t find or understand the features you need, that’s a red flag and a reason to look for another solution.
- Upgrade options: if the free edition is limited to personal use, you should be able to scale up or access more advanced features easily. Usually, this means a smooth switch to the paid version or an option to enable paid features within your current solution.
Best Free Backup Solutions
According to recent reviews and round-ups, some of the top free tools include:
MSP360 Backup Free
MSP360 Free Backup software is a free backup solution for personal data backup.
For a free backup tool, MSP360 Backup Free provides a remarkably rich set of features: it runs on Windows, Linux, and macOS, and offers support for a wide range of cloud storage options like AWS, Wasabi Hot Cloud Storage, Backblaze B2, Microsoft Azure, Google Cloud, IDrive e2, and other S3-compatible storage providers.
With the recent update, the freeware also supports image-based backups and raises the storage limit to 5 TB – which is incredible for home users. This software also supports object lock, making it an excellent choice for ransomware protection.
EaseUS ToDo Backup Free
EaseUS ToDo Backup Free is a solution for home use that features drive and partition imaging and file and folder backup for Windows.
As they state on their website, “advanced backup options are open to free users, such as incremental and differential backup, scheduled backup, encrypted backup, <…> and more”.
They also offer 250 GB of free storage for users (which is great, but might not be enough for the majority of home users), and if you run out of storage space, you can purchase 1 TB of storage space for $20.
Paragon Backup & Recovery Community Edition
This free backup solution provides full support for Windows-based desktops, and supports both file-level and disk image backups.
Other features included in the free edition are password protection, compression, automatic scheduling, versioning, and more, making this freeware a very strong and advanced choice for home users.
With Paragon freeware, you can back up your data to different types of drives and devices, including SSDs, HDDs, Windows Storage Spaces, advanced-format drives, and more.
Cobian Backup
Cobian Backup is one of the most advanced solutions on this list (possibly more than a home user needs, but if you know exactly how your backups should be configured, it is the one to choose), with support for creating multiple backup jobs, archiving to an external hard drive or network location, and simultaneous backups to several locations.
You can also enable encryption to add an extra layer of protection for your files, and enable compression to save on storage space.
AOMEI Backupper Standard
Another great solution on our list is the free backup tool from AOMEI: it supports file, image, and system backup, as well as one-way sync and disaster recovery.
It’s a full-featured free backup solution for Windows: back up Windows OS, entire hard disk, partitions and individual files. With this solution, you can customize backup schedules, enable compression, configure email notification, and more.
Final Thoughts
Free backup software has matured to the point where it can offer surprisingly robust protection.
With careful selection, you can deploy a solution that covers your data, provides off-site protection, and gives you peace of mind without spending a dime.
The post Guide to Choosing the Best Free Backup Software for Secure, Reliable Cloud Backup appeared first on Cyber Security News.
-
The Clop ransomware group continues to pose a significant threat to enterprise organizations worldwide, with recent analysis revealing their exploitation of a critical zero-day vulnerability in Oracle E-Business Suite. Operating since early 2019, Clop has established itself as one of the most prolific and sophisticated ransomware gangs, amassing a victim count exceeding 1,025 organizations and […]
The post Clop Ransomware Group Exploits New 0-Day Vulnerabilities in Active Attacks appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.
-
The notorious FIN7 threat group, also known by the nickname Savage Ladybug, continues to pose a significant risk to enterprise environments through an increasingly refined Windows SSH backdoor campaign.
The group has been actively deploying this sophisticated backdoor mechanism to establish persistent remote access and facilitate data exfiltration operations.
First documented in 2022, the malware has remained largely unchanged in its core functionality, suggesting that FIN7 has found a highly effective attack methodology that continues to evade traditional detection mechanisms.
The attack campaign leverages a combination of batch script execution and legitimate OpenSSH toolsets to create a covert communication channel between compromised systems and attacker-controlled infrastructure.
By exploiting the trust typically placed in SSH protocols, FIN7 operatives can establish reverse SSH and SFTP connections that bypass conventional network monitoring and appear as legitimate administrative traffic.
This technique demonstrates the group’s sophisticated understanding of system administration tools and their ability to weaponize widely-available utilities for malicious purposes.
PRODAFT analysts and researchers identified that the malware employs an install.bat script paired with OpenSSH components to automate the deployment and configuration process.
This approach significantly reduces the operational complexity for threat actors while maintaining a low profile across security logs and event monitoring systems.
Persistence Mechanisms and Evasion Tactics
The persistence strategy employed by FIN7’s SSH backdoor represents a particularly insidious aspect of the threat.
By establishing SSH access points on compromised Windows systems, the attackers ensure continued access even after initial compromise vectors are remediated.
The reverse SSH tunnel configuration allows operators to maintain command and control communication through encrypted channels, making it substantially more difficult for security teams to detect malicious traffic patterns.
The backdoor’s ability to execute both SSH and SFTP operations provides attackers with multiple pathways for data extraction and lateral movement within network environments.
Security researchers have documented that the malware maintains minimal modification signatures, relying instead on legitimate system components to avoid triggering behavioral detection rules.
Organizations must implement robust SSH access controls, monitor for anomalous SSH connection patterns, and maintain comprehensive network segmentation to effectively counter this persistent threat.
The post FIN7 Hackers Using Windows SSH Backdoor to Establish Stealthy Remote Access and Persistence appeared first on Cyber Security News.
-
Microsoft has issued an urgent advisory for Windows users, confirming that a recent set of security updates released after October 14, 2025 may cause certain systems to boot into the BitLocker recovery screen upon restart. The issue, currently under active investigation, has resulted in user reports of unexpected prompts for BitLocker recovery keys following device […]
The post Microsoft Issues Alert: BitLocker Recovery Risk After October 2025 Updates appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.
-
Cybersecurity researchers have disclosed a new set of vulnerabilities impacting OpenAI’s ChatGPT artificial intelligence (AI) chatbot that could be exploited by an attacker to steal personal information from users’ memories and chat histories without their knowledge. The seven vulnerabilities and attack techniques, according to Tenable, were found in OpenAI’s GPT-4o and GPT-5 models. OpenAI has
-
Cybersecurity threats targeting mobile devices and critical infrastructure have reached alarming new heights, according to Zscaler’s latest research. The latest findings from Zscaler, Inc. (NASDAQ: ZS) expose a sophisticated campaign by threat actors who have successfully infiltrated Google’s official app marketplace with hundreds of malicious applications. The company’s ThreatLabz 2025 Mobile, IoT, and OT Threat […]
The post Beware: 239 Dangerous Android Apps Found on Google Play with 40M+ Installs appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.
-
The cybercriminal underground has witnessed a significant consolidation as three of the most notorious threat actors, Scattered Spider, ShinyHunters, and LAPSUS$, have formally aligned to create the Scattered LAPSUS$ Hunters (SLH), a federated collective that emerged in early August 2025. This strategic merger represents a departure from traditional standalone operations, presenting a sophisticated threat model […]
The post Three Infamous Hacker Groups Join Forces as the ‘Scattered LAPSUS$ Hunters’ appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.
-
The Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability affecting Gladinet CentreStack and Triofox to its Known Exploited Vulnerabilities catalog, signaling active exploitation in the wild. The flaw, tracked as CVE-2025-11371, exposes sensitive system files to unauthorized external parties, posing a significant risk to organizations relying on these cloud file-sharing platforms. Overview […]
The post CISA Issues Alert on Gladinet CentreStack and Triofox Vulnerabilities Under Active Exploitation appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.



FIN7 (Savage Ladybug) still using the same Windows SSH backdoor with only small changes since 2022.
Check recent IOCs: